MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP


Jackie Ng
Hi All,

I've put up a new RFC for review:
https://trac.osgeo.org/mapguide/wiki/MapGuideRfc168

Comments/feedback appreciated.

- Jackie




Re: MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

RenoSun
I read it. If there are some great concerns about not upgrading Apache, Tomcat and PHP,
I think it is good to have 3.1.2. If the PHP version is not up to date, what's
the major risk for the mapguide users? Just really want to understand the
risk of it.




Re: MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

Jackie Ng
There are several driving forces at work right now:

 1. PHP 5.6.x will be end of life (it will no longer receive any bugfixes or
support) at the end of this year

 2. PHP 5.6 to PHP 7.x migration of the MapGuide API binding has been a
difficult and time-consuming process. While I have the basic groundwork in
place for a functional PHP 7 MapGuide API binding (via:
https://github.com/jumpinjackie/mapguide-api-bindings), this binding needs
time in the oven to iron out any problems that will inevitably appear when
we start porting across existing MapGuide PHP applications on top of this
new binding (mapadmin, fusion, ajax viewer, etc.)

 3. This has stretched out the release date of the next major version of
MapGuide (3.3) that has already been stretched due to diminishing developer
resources. We cannot ship 3.3 with PHP 5.6.x

 4. But at the same time, there hasn't been a release of MapGuide (major or
minor) since early April this year. So since 3.3 is still some time away,
and 3.1 is still on the PHP 5.6.x series, the very least we can/should do in
the interim is to put out a 3.1.2 release and make sure that its bundled
copy of PHP 5.6 is the last 5.6.x version before EOL (5.6.39). And since PHP
is getting upgraded, we might as well roll in updated Apache and Tomcat as
well. This is the motivation for this RFC.

So what does this mean in terms of risk for MapGuide users who roll 3.1.2
out into production (when it comes out)? They'll be running a version of PHP
that is no longer supported, but you can say the same thing for any
preceding version of MapGuide currently out there.

I guess as long as you lock down the PHP installation on production with a
minimal attack surface (only enable the minimally required settings/features
in PHP so that the MapGuide PHP applications work and nothing more), things
should be fine. If you don't use fusion, mapadmin, or any of the other
supporting MapGuide PHP applications, you can remove PHP altogether and be
business as usual. If something breaks in your bundled PHP after 31st
December 2018 or new PHP-level security vulnerabilities are discovered after
this date, you're on your own. That's the risky part.

- Jackie
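
An added example, not part of the original message or of MapGuide: one way to check a bundled php.ini against a lock-down baseline of the kind described above. The baseline directives and the sample file are assumptions; adjust them to what your MapGuide PHP applications actually need.

```python
# BASELINE is an assumed lock-down policy, not a MapGuide requirement:
# directive -> (wanted value, PHP's built-in default when the line is absent).
BASELINE = {
    "expose_php": (False, True),
    "display_errors": (False, True),
    "allow_url_include": (False, False),
    "allow_url_fopen": (False, True),
    "session.cookie_httponly": (True, False),
    "session.use_strict_mode": (True, False),
}
MUST_BE_SET = ("open_basedir", "disable_functions")  # empty means unrestricted
TRUTHY = ("1", "on", "true", "yes")

def parse_ini(text):
    """Return {directive: raw value}; later lines override earlier ones."""
    settings = {}
    for line in text.splitlines():
        # Drop ';' comments; enough for the on/off and empty checks done here.
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return a sorted list of findings; an empty list means baseline met."""
    settings = parse_ini(text)
    findings = []
    for name, (wanted, default) in BASELINE.items():
        present = name in settings
        actual = settings[name].lower() in TRUTHY if present else default
        if actual != wanted:
            findings.append("%s should be %s (%s: %s)" % (
                name, "On" if wanted else "Off",
                "set" if present else "PHP default", "On" if actual else "Off"))
    for name in MUST_BE_SET:
        if not settings.get(name):
            findings.append("%s is empty or unset" % name)
    return sorted(findings)

# Constructed sample, not taken from a MapGuide install.
SAMPLE_INI = """
[PHP]
expose_php = On          ; version banner in response headers
display_errors = Off
open_basedir = "/opt/example/www"
session.cookie_httponly = 1
"""
print("\n".join(audit(SAMPLE_INI)))
```

Directives that are missing from the file are reported against PHP's built-in defaults, which is where an untouched bundled configuration usually falls short.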




Re: MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

Martin Morrison
So what will it take to finish the upgrade?  Just testing?

On a side note, what is Autodesk's involvement at this point?  Is everything open-sourced or are they still maintaining control of some aspects?

Martin Morrison     
Infrastructure Application Engineer/Systems Analyst
 Engineering Design Systems, Inc.
540.345.1410
[hidden email]


-----Original Message-----
From: mapguide-internals <[hidden email]> On Behalf Of Jackie Ng
Sent: Thursday, December 13, 2018 8:37 AM
To: [hidden email]
Subject: Re: [mapguide-internals] MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP


Re: MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

GordonL
In reply to this post by Jackie Ng
I think sticking with the old version of php for now does not need to be a
show stopper to get a build out.





Re: MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

Jackie Ng
In reply to this post by Martin Morrison
At a minimum, this list needs to be checked off:

https://github.com/jumpinjackie/mapguide-api-bindings/issues/21

And we have to then port mapadmin/schemareport/fusion/mapviewerphp across
and make sure they work under a PHP 7 MapGuide binding as the minimal
"acceptance test".

As for adsk involvement, I think they've completely dropped off for
MapGuide. FDO they're still around.

- Jackie


